Detection of fake antivirus includes classifying text content of a user interface of an application program and scanning files associated with the application program for suspicious code. The user interface may be a graphical user interface (GUI) window of the application program. The text content may be obtained from a painted portion of the GUI window and by intercepting text changing operations performed on the GUI window. The text content may be input to a learning model to determine whether or not the application program belongs to the antivirus category. The application program is deemed to be fake antivirus when the application program is classified as belonging to the antivirus category and has a file with suspicious code.
|
1. A method of preventing reception of fake antivirus in a computer, the method comprising:
determining a reputation of a website;
classifying text content of a web page of the website in response to finding that the website has an unknown reputation;
finding that the website belongs to an antivirus category based on classification of the text content of the web page of the website; and
in response to finding that the website belongs to the antivirus category, determining that the website belongs to a legitimate antivirus vendor before allowing download of a file from the website to the computer.
2. The method of
3. The method of
4. The method of
|
1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting fake antivirus in computers.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malicious codes that have plagued computer systems throughout the world. Although there are technical differences between each type of malicious code, technology for detecting malicious codes is also generally referred to as “antivirus.” Malicious codes have become so widespread that experienced computer users have some form of antivirus in their computers.
Fake antivirus, also referred to simply as “Fake AV,” comprises malicious code disguised as an antivirus. Fake antivirus typically mirrors the layout and behavior of legitimate (i.e., non-malicious) antivirus, and is relatively difficult to detect using conventional antivirus technology. For example, conventional pattern matching algorithms may be employed to detect program icons and keywords in program shortcuts, registry, and files employed by fake antivirus. However, icons and keywords are easily changed by fake antivirus programmers, making fake antivirus difficult to detect by conventional pattern matching. Worse, fake antivirus may also be packed (i.e., compressed) as an executable file and use a legitimate-looking graphical user interface (GUI).
In one embodiment, a method of detecting fake antivirus in a computer includes retrieving text content of a graphical user interface (GUI) window of an application program, classifying the text content to determine that the application program belongs to an antivirus category, and scanning a file associated with the application program for suspicious code indicative of a fake antivirus. The application program is deemed to be fake antivirus based on a finding that the application program belongs to the antivirus category and the file associated with the application program has suspicious code indicative of a fake antivirus.
In another embodiment, a method of preventing reception of fake antivirus in a computer includes determining a reputation of a website, classifying text content of a web page of the website in response to finding that the website has an unknown reputation, and finding that the website belongs to an antivirus category based on classification of the text content. In response to finding that the website belongs to the antivirus category, the website is evaluated to determine whether the website belongs to a legitimate antivirus vendor before allowing download of a file from the website to the computer.
In another embodiment, a method of detecting fake antivirus in a computer comprises receiving text content from a user interface of an application program, finding that the application program belongs to an antivirus category based on a classification of the text content, and scanning a file associated with the application program for suspicious code indicative of a fake antivirus.
These and other features of the present invention will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which includes the accompanying drawings and claims.
The use of the same reference label in different drawings indicates the same or like components.
In the present disclosure, numerous specific details are provided, such as examples of apparatus, components, and methods, to provide a thorough understanding of embodiments of the invention. Persons of ordinary skill in the art will recognize, however, that the invention can be practiced without one or more of the specific details. In other instances, well-known details are not shown or described to avoid obscuring aspects of the invention.
The computer 100 is a particular machine as programmed with software modules 110. The software modules 110 comprise computer-readable program code stored non-transitory in the main memory 108 for execution by the processor 101. The computer 100 may be configured to perform its functions by executing the software modules 110. The software modules 110 may be loaded from the data storage device 106 to the main memory 108. The software modules 110 may also be made available in other computer-readable medium including optical disk, flash drive, and other memory devices. In the example of
Referring now to
The antivirus 560 may comprise antivirus software for detecting fake antivirus. In one embodiment, the antivirus 560 comprises computer-readable program code configured (a) to get the contents (e.g., text) from the user interface window, e.g., GUI, of the target software, (b) determine the classification of the target software, (c) determine if files of the target software contain suspicious code, and (d) deem the target software as fake antivirus when the target software is classified as an antivirus and files of the target software contain suspicious code. An example high-level pseudo code for detecting fake antivirus is as follows:
In the example of
The antivirus classifier engine 508 may comprise computer-readable program code for classifying contents of user interface windows, such as the GUI of the target software (i.e., the software being evaluated). In one embodiment, the antivirus classifier engine 508 determines whether or not the target software belongs to the antivirus category based on the classification of the text content of the user interface window of the target software. Classifier algorithms that may be employed by the antivirus classifier engine 508 include Bayesian classifier and Support Vector Machine (SVM). For example, an SVM (or other classifier) learning model may be trained using text contents of user interfaces of known legitimate antivirus software. The learning model may also be trained using text contents of user interfaces of known fake antivirus. For example, the GUI of
The suspicious code inspection engine 511 may comprise computer-readable program code for detecting suspicious code in files associated with the target software. For example, the suspicious code inspection engine 511 may scan the executable file of the application 580. In one embodiment, the suspicious code inspection engine 511 is configured to identify files of the target software and scan the identified files for suspicious code. The files of the target software may be scanned for computer-readable program code that is not necessarily known malicious code but is indicative of fake antivirus. In one embodiment, the suspicious code inspection engine 511 scans the files of the target software for obfuscated binary code. Examples of obfuscated binary code include packed (i.e., compressed) code.
In one embodiment, the operating system 570 comprises the Microsoft Windows™ operating system. Accordingly, the following description provides programming examples for the Microsoft Windows™ operating system. As can be appreciated, embodiments of the present invention may also be employed with other operating systems without detracting from the merits of the present invention.
The flow diagram of
The application 580 renders its user interface by painting its GUI window on the computer screen (
The operating system 570 receives the painting messages (
In addition to painting text on the GUI, the application 580 may also set text on portions of the GUI by performing text change operations (
In the example of
The antivirus 560 gets the bitmap of the painting region of the GUI of the application 580 (
The antivirus classifier engine 508 determines whether or not the application 580 belongs to the antivirus category by classifying the text content of the GUI window of the application 580 (
The antivirus 560 deems the application 580 to be fake antivirus when the application 580 belongs to the antivirus category and one or more files associated with the application 580 contain suspicious code (
The antivirus 560 may be further configured to determine a reputation of a web host, such as a website. The reputation of a website indicates whether the website is a known good, known bad, or unknown website. When the user of the computer 100 clicks on a URL (uniform resource locator) of a website (step 701), the antivirus 560 determines the reputation of the website based on its URL (step 702). For example, the antivirus 560 may provide the URL of the website to a remotely located web reputation service, which maintains a reputation database. The reputation database may indicate whether the URL belongs to a known good website (e.g., legitimate websites) or to a known bad website (e.g., pornography, phishing, virus distributor, etc. website). It is also possible that the reputation database has no information on the website, in which case the website has an unknown reputation. The web reputation service returns the reputation of the website to the antivirus 560. The antivirus 560 may be configured to block communications with the website if the website has a known bad reputation (step 703) and to allow communications with the website (including downloading of files from the website) if the website has a known good reputation (step 704). As can be appreciated, rather than consulting a remote web reputation service to determine the reputation of the website, the antivirus 560 may instead consult a local reputation database.
When the website has an unknown reputation, the antivirus 560 may be configured to receive the text content of a web page served by the website. The antivirus 560 may input the text content of the web page to the antivirus classifier engine 508 (see
When the text content of the web page indicates that the website belongs to the antivirus category and the user wants to download files from the website (step 706 to step 708 to step 709), the antivirus 560 may determine whether the website belongs to a legitimate antivirus vendor. For example, the antivirus 560 may consult a local or remote database containing signatures, URLs, hash values, or other indicators of web pages/websites maintained by legitimate antivirus vendors to determine whether the website belongs to a legitimate antivirus software vendor noted in the database (step 709). If so, the antivirus 560 allows download of files from the website to the computer 100 (step 711). Otherwise, when the website does not belong to a reputable antivirus software vendor, the antivirus 560 blocks download of files from the website (step 710).
Otherwise, when the application program is classified as belonging to the antivirus category, the antivirus 560 initiates scanning of files associated with the application program using the suspicious code inspection engine 511 (step 806). The application program is not a fake antivirus when the application program does not have a file with suspicious code (step 806 to step 805). Otherwise, when the application program has a file with suspicious code, the application program is deemed to be fake antivirus (step 806 to step 807).
Techniques for detecting fake antivirus have been disclosed. While specific embodiments of the present invention have been provided, it is to be understood that these embodiments are for illustration purposes and not limiting. Many additional embodiments will be apparent to persons of ordinary skill in the art reading this disclosure.
Yeh, Che-Fu, Chang, Chia-Chi, Yen, Sheng-Chuan
Patent | Priority | Assignee | Title |
9058488, | Aug 14 2013 | Bank of America Corporation | Malware detection and computer monitoring methods |
9141797, | Sep 23 2011 | TREND MICRO INCORPORATED | Detection of fake antivirus in computers |
9363286, | Mar 20 2014 | AO Kaspersky Lab; Kaspersky Lab Zao | System and methods for detection of fraudulent online transactions |
9552479, | Aug 14 2013 | Bank of America Corporation | Malware detection and computer monitoring methods |
Patent | Priority | Assignee | Title |
5442699, | Nov 21 1994 | TREND MICRO INCORPORATED | Searching for patterns in encrypted data |
5452442, | Jan 19 1993 | TREND MICRO INCORPORATED | Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities |
5640492, | Jun 30 1994 | THE CHASE MANHATTAN BANK, AS COLLATERAL AGENT | Soft margin classifier |
5649068, | Jul 27 1993 | THE CHASE MANHATTAN BANK, AS COLLATERAL AGENT | Pattern recognition system using support vectors |
5907834, | May 13 1994 | TREND MICRO INCORPORATED | Method and apparatus for detecting a presence of a computer virus |
6161130, | Jun 23 1998 | Microsoft Technology Licensing, LLC | Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set |
6192512, | Sep 24 1998 | TREND MICRO INCORPORATED | Interpreter with virtualized interface |
6279128, | Dec 29 1994 | TREND MICRO INCORPORATED | Autonomous system for recognition of patterns formed by stored data during computer memory scrubbing |
6622134, | Jan 05 1999 | TREND MICRO INCORPORATED | Method of constructing data classifiers and classifiers constructed according to the method |
6650890, | Sep 29 2000 | GOOGLE LLC | Value-added electronic messaging services and transparent implementation thereof using intermediate server |
6711583, | Sep 30 1998 | IBM Corporation | System and method for detecting and repairing document-infecting viruses using dynamic heuristics |
6732157, | Dec 13 2002 | McAfee, Inc | Comprehensive anti-spam system, method, and computer program product for filtering unwanted e-mail messages |
6789200, | May 18 2000 | TREND MICRO INCORPORATED | Method of automatically instituting secure, safe libraries and functions when exposing a system to potential system attacks |
6813712, | May 27 1999 | TREND MICRO INCORPORATED | Viral replication detection using a counter virus |
7021534, | Nov 08 2004 | OVERTOUCH REMOTE L L C | Method and apparatus for providing secure document distribution |
7191239, | Aug 02 2000 | CHANNEL IP B V | Method and system to customize and update a network connection application for distribution to multiple end-users |
7287060, | Jun 12 2003 | Oracle America, Inc | System and method for rating unsolicited e-mail |
7483984, | Dec 19 2001 | BOINGO WIRELESS, INC | Method and apparatus for accessing networks by a mobile device |
7802298, | Aug 10 2006 | TREND MICRO INCORPORATED | Methods and apparatus for protecting computers against phishing attacks |
8023974, | Feb 15 2007 | TREND MICRO INCORPORATED | Lightweight SVM-based content filtering system for mobile phones |
20020090089, | |||
20030145197, | |||
20040002932, | |||
20040006747, | |||
20040073617, | |||
20040128355, | |||
20040148330, | |||
20050015452, | |||
20050015626, | |||
20050076241, | |||
20050108340, | |||
20050120019, | |||
20050144241, | |||
20050160330, | |||
20050192992, | |||
20050210116, | |||
20050240617, | |||
20050286522, | |||
20050289148, | |||
20060031306, | |||
20060031318, | |||
20060031373, | |||
20060064374, | |||
20060070126, | |||
20060101120, | |||
20060123464, | |||
20060123478, | |||
20060149821, | |||
20060168006, | |||
20060168066, | |||
20060282888, | |||
20070022075, | |||
20070039038, | |||
20070094500, | |||
20070112774, | |||
20070112814, | |||
20070282739, | |||
20070283000, | |||
20080016358, | |||
20080028444, | |||
20080082662, | |||
20080114709, | |||
20080153513, | |||
20080172741, | |||
20080196085, | |||
20080263660, | |||
20110154496, | |||
20130019310, | |||
EP1377892, | |||
WO2084459, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Sep 23 2011 | TREND MICRO INCORPORATED | (assignment on the face of the patent) | / | |||
Sep 27 2011 | CHANG, CHIA-CHI | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027052 | /0237 | |
Sep 27 2011 | YEN, SHENG-CHUAN | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027052 | /0237 | |
Sep 27 2011 | YEH, CHE-FU | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027052 | /0237 |
Date | Maintenance Fee Events |
Oct 11 2017 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Oct 15 2021 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Date | Maintenance Schedule |
Apr 15 2017 | 4 years fee payment window open |
Oct 15 2017 | 6 months grace period start (w surcharge) |
Apr 15 2018 | patent expiry (for year 4) |
Apr 15 2020 | 2 years to revive unintentionally abandoned end. (for year 4) |
Apr 15 2021 | 8 years fee payment window open |
Oct 15 2021 | 6 months grace period start (w surcharge) |
Apr 15 2022 | patent expiry (for year 8) |
Apr 15 2024 | 2 years to revive unintentionally abandoned end. (for year 8) |
Apr 15 2025 | 12 years fee payment window open |
Oct 15 2025 | 6 months grace period start (w surcharge) |
Apr 15 2026 | patent expiry (for year 12) |
Apr 15 2028 | 2 years to revive unintentionally abandoned end. (for year 12) |